spring-projects / spring-data-rest

Simplifies building hypermedia-driven REST web services on top of Spring Data repositories
https://spring.io/projects/spring-data-rest
Apache License 2.0

HAL browser not working behind zuul with csrf protection [DATAREST-980] #1347

Open spring-projects-issues opened 7 years ago

spring-projects-issues commented 7 years ago

Javier Alejandro Miño opened DATAREST-980 and commented

When I run the HAL browser behind a Zuul proxy that has CSRF protection, the POST request fails due to the following:

```json
{
  "timestamp": 1484401944482,
  "status": 403,
  "error": "Forbidden",
  "message": "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.",
  "path": "/office-league/heroes"
}
```

This should be very easy to solve by adding to CustomPostForm.js the capability to send an `X-XSRF-TOKEN` header when `XSRF-TOKEN` is present.

I attached a pull request; please let me know if something needs to be updated or changed.

Affects: 2.5.6 (Hopper SR6)

Referenced from: pull request https://github.com/spring-projects/spring-data-rest/pull/253

spring-projects-issues commented 7 years ago

Oliver Drotbohm commented

Thanks, Javier. That looks decent. Rob Winch — Would you mind having a brief look?

spring-projects-issues commented 7 years ago

Rob Winch commented

This looks like an improvement. It is important to keep in mind that the CSRF token is typically stored in a cookie which is HttpOnly to be as secure as possible by default. This means that this code will not work with the default settings.
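An added example (my own code, not from the issue, the HAL browser or the linked PR) of the client-side behaviour Javier proposes together with the caveat Rob raises: the header can only be attached when the `XSRF-TOKEN` cookie is readable from script, which an HttpOnly cookie prevents, so nothing is sent and the 403 above remains. The cookie names other than `XSRF-TOKEN` and all cookie values below are constructed sample data.

```javascript
// Added example, not code from the issue or the linked PR. Sketches the logic a
// CustomPostForm.js change would need: read the XSRF-TOKEN cookie and, when it
// is present, send its value back in the X-XSRF-TOKEN header of the POST.

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Build the headers for a HAL browser POST. X-XSRF-TOKEN is added only when the
// XSRF-TOKEN cookie is visible to script; with an HttpOnly cookie it never is.
function buildPostHeaders(cookieString, baseHeaders = { 'Content-Type': 'application/json' }) {
  const headers = Object.assign({}, baseHeaders);
  const token = parseCookies(cookieString)['XSRF-TOKEN'];
  if (token) headers['X-XSRF-TOKEN'] = token;
  return headers;
}

// Constructed samples. READABLE_COOKIES is what document.cookie would expose
// when the token cookie is not HttpOnly; HTTPONLY_COOKIES is what script sees
// with the HttpOnly default Rob Winch describes (token cookie hidden).
const READABLE_COOKIES = 'JSESSIONID=abc123; XSRF-TOKEN=11111111-2222-3333-4444-555555555555';
const HTTPONLY_COOKIES = 'JSESSIONID=abc123';

function demo() {
  return {
    withToken: buildPostHeaders(READABLE_COOKIES),
    withoutToken: buildPostHeaders(HTTPONLY_COOKIES),
  };
}

if (typeof document === 'undefined') {
  // Node.js run: show both outcomes side by side.
  console.log(JSON.stringify(demo(), null, 2));
}
```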

spring-projects-issues commented 7 years ago

Javier Alejandro Miño commented

This repository shows an example of this issue: https://github.com/javiersvg/hal-browser-zuul-issue-demo

This repository has a branch named DATAREST-980 with the proposed solution applied.

I am not sure what you mean by default settings, but let me know if there is any information that I can provide that might help you with this.